[extropy-chat] Re: codes in scam letters
Eugen Leitl
eugen at leitl.org
Tue Sep 27 15:13:52 UTC 2005
On Tue, Sep 27, 2005 at 10:23:49AM -0400, mail at harveynewstrom.com wrote:
> If done correctly, steganography can theoretically be undetectable.
> However, in practice, it is almost never done so well.
Yes, many current packages leave a detectable signature. Very few ones
are quite difficult to detect.
> In the real world, image programs leave signatures inside the picture data
> so you can tell what program created the image. Often, this is explicitly
No problem, we're just after the payload data.
> stated within a tag that gives the program name, version, date, etc.
> Otherwise, the internal structure of the graphic can be analyzed to
> identify the original program. The programs also contain compression
> signatures that indicate what level of compression and what algorithms were
> used to reduce the image size. Again, this is often explicitly stated in a
> tag within the picture, or can be reverse-engineered by examining the
> internal structure of the compression.
No problem, we're just after the payload data.
> What this means is that it is trivial for a person to grab the image binary
> off the net, load it into the indicated program, and save it with the same
> compression level and method indicated. This should produce the exact same
This will change some bits in the headers, so I wouldn't use a commercial
program for that.
> binary, because all the structures, formatting and compression should
> already be exactly as that program and compression combination would
> produce them. There should be no noise or randomness that has not already
> been optimized away. If there is any change in the image when doing this,
All images from physical sensors have noise. No compression algorithm is
perfect. There's plenty of air to put a payload in P2P movies and RAW imagery.
> it indicates that the changed bits were tweaked after the original picture
> was produced and were not a natural product of the imaging software. These
> changed bits can then be isolated, extracted, and analyzed separately from
> the overall image information.
You don't have access to the "original" picture, however.
> Thus, it is trivial in most cases to extract and analyze any random bits
> introduced to the imaging after processing. Using this method, we can
> confirm that the vast majority of the pictures posted on the net are free
> from hidden messages. One would have to use a non-standard or unknown
Moreover, as cryptographic hashes are used to trace files on P2P
networks, we know that the files are not tampered with in transit.
> graphics format with zero or non-standard compression to produce images
> with messages hidden in them. Such a format could be detected as unusual.
There is no need to change the headers nor produce corrupt images if
you're hiding a few bits in a largish picture, or a few kbytes in a large
movie (4 GByte files are widespread on P2P networks).
--
Eugen* Leitl <a href="http://leitl.org">leitl</a>
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: <http://lists.extropy.org/pipermail/extropy-chat/attachments/20050927/ceda5aa4/attachment.bin>
More information about the extropy-chat
mailing list